1. Customer tools for the road ahead
SHIFT YOUR LANDESK
INVESTMENT
INTO OVERDRIVE
Learn more at
Momentum.LANDESK.com
2. Carson Platero
Consultant
LANDESK Professional Services
LANDESK Patch Manager 2016
3. Agenda
What’s new in LANDESK Patch Manager 2016
Getting started
How we scan and remediate
Understanding the Patch and Compliance Tool
Configure devices
Managing Security Content
Scanning devices
Patching devices
4. LDMS Improvements to Patch Manager - Summary
Improved Charts
Improved Patch Definition Group options
Ability to provide Tags for Definitions
Integration with Rollout Projects tool
Improved Icons
5. Dashboards and charts
Double-click to create a related query
Chart colors – can choose from different themes
Display the dashboard in a separate window
Copy to clipboard as an image
6. Download updates improvements
Apply group settings by Definition Type and Severity
Actions available:
Assign Scan Status
Assign Autofix Status
Add to Custom Groups
Assign Tags
Add to rollout projects
7. Definition Tagging
Add one or more tags to patch definitions
Add specific tags based on Download Updates Definition group filter criteria
Integration with Rollout Projects Tool
9. Main tasks for configuring Patch and Compliance
o Configure the LANDESK Agent Security and Compliance Settings
o Download vulnerability definitions from a LANDESK Content Server
o Create a scan job to detect vulnerabilities in your environment
o Use the scan results to determine what you are going to patch in your environment
o Download patches for detected vulnerabilities
o Repair detected vulnerabilities by installing patches to affected devices
o View reports to see patch status and repair history
13. Selecting and downloading content types
Vulnerability Content
LANDESK Content comes in different categories.
A schedule should be configured to download Security and Patch content at regular intervals.
Different content types can have separate download tasks.
14. Managing downloaded content
Many customers patch monthly.
Definition Group Settings can be used to sort definitions into groups and rollout projects.
15. New distribution group settings options in LDMS 2016
LDMS 2016 offers great flexibility in organizing downloaded content automatically
New tabbed interface in the Download Updates tool
Filter
Scan
Autofix
Groups and Tags
Rollout Projects
18. Which Patches Should I Deploy?
11,000+ Windows Vulnerabilities
Severity
Microsoft NA – carefully review before deploying
Use Filters
Suffixes
_Manual
_Upgrade
_Fixit
_Detect_Only
_All_Updates
22. Configuring Agent Settings
The Agent Configuration settings are in the Agent Configuration Tool.
These settings control client behavior when scanning and repairing vulnerabilities.
They include such things as whether or not the user will see the Vulnerability Scanner interface, options to defer repairs, reboot behaviors, scanning and repair schedules, etc.
23. Patch Maintenance
Meaningful Name
State AND Time
Windows Only
Scan and Download
Now
RepairReboot
in Window
Reboot Settings
Must Agree
24. Pre-Repair / Post-Repair
Succeeded=true
Or Zero (0)
Message=“Hello World”
If running script depends on file being there or access to share
26. Scanning Devices
Scanning of your devices can be started in several ways:
1. Right-click computer and select “Patch and Compliance scan now…”
2. Regular schedule driven by the local scheduler on the client
3. Running Vulscan.exe (Vulnerability scanner) from the command line
4. As part of a repair by right-clicking on a group and clicking “Repair”
(In this case the scan and the repair will both be run in succession)
Typically vulnerability scans should be run daily.
27. Reviewing scan results
After scanning your environment, the vulnerabilities that have been found will show up in the Detected section of the tree.
You can then take action on them by multi-selecting and then choosing right-click repair, or by dragging them into a group, etc.
28. Repairing vulnerabilities
Repairing vulnerabilities can be initiated in several ways, including the following:
Right-click definitions and choose “Repair” (Up to 100 at a time)
Right-click a group and choose “Repair” (Can be greater than 100)
Autofix (or Autofix by Scope)
As part of a rollout project
29. Repair by Group
Dynamic
Can contain more than 100 definitions
Will repair definitions at that level or below
Useful for repairing baseline plus recent tested patches
31. Clean Repair History
Right-Click Device -> Security and Patch Information
Clean/Repair History
Look up Wusa.exe and MSIExec errors
Patch Download – make sure the core has downloaded the patch
32. Reboot and Try Again (Why!)
Detection is often based upon file scanning.
Without a reboot, the old file is still in place.
If a definition is still detected after a reboot, try running it manually on the workstation.
A more useful error message may then be displayed.
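The reboot point above can be checked on the device: Windows queues replacements of in-use files in the PendingFileRenameOperations registry value until restart. The following added example (not from the original slides; function names, file paths and sample data are constructed for illustration) parses that value's source/destination pairs and separates still-detected files that are only waiting on a reboot from those worth investigating.

```python
"""Added example: which still-detected files are only waiting on a reboot?"""

NT_PREFIX = "\\??\\"  # NT object-path prefix used in the registry value

def _norm(path):
    """Drop anything up to the NT prefix (e.g. the '!' replace flag); lowercase."""
    idx = path.find(NT_PREFIX)
    if idx != -1:
        path = path[idx + len(NT_PREFIX):]
    return path.lstrip("!").lower()

def parse_pending(entries):
    """Entries come in (source, destination) pairs; empty destination = delete."""
    replacements, deletions = {}, []
    for i in range(0, len(entries) - 1, 2):
        src, dst = entries[i], entries[i + 1]
        if not src:
            continue
        if dst:
            replacements[_norm(dst)] = _norm(src)  # target <- staged new file
        else:
            deletions.append(_norm(src))
    return replacements, deletions

def classify(detected_files, entries):
    """Split detected files into (reboot pending, needs investigation)."""
    replacements, deletions = parse_pending(entries)
    pending, investigate = [], []
    for path in detected_files:
        key = path.lower()
        (pending if key in replacements or key in deletions else investigate).append(path)
    return pending, investigate

# Constructed sample: the REG_MULTI_SZ value as a list of strings.
SAMPLE_ENTRIES = [
    r"\??\C:\Windows\Temp\stage\mshtml.dll", r"!\??\C:\Windows\System32\mshtml.dll",
    r"\??\C:\Windows\Temp\old_setup.tmp", "",
]
# Constructed sample: files a scan still reports as out of date.
SAMPLE_DETECTED = [r"C:\Windows\System32\mshtml.dll", r"C:\Windows\System32\win32k.sys"]

if __name__ == "__main__":
    pending, investigate = classify(SAMPLE_DETECTED, SAMPLE_ENTRIES)
    print("Reboot pending:", pending)
    print("Investigate:   ", investigate)
```

On a Windows device the input list is the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager.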